Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PowerShell Remoting Usage #143

Open
mr-burnse opened this issue Oct 14, 2016 · 3 comments
Open

PowerShell Remoting Usage #143

mr-burnse opened this issue Oct 14, 2016 · 3 comments

Comments

@mr-burnse
Copy link

This is a really great project! I'm looking at potentially incorporating some of it's functionality in a project I've been working on. In my case I need to execute these functions on a remote endpoints (via PS Remoting) that will not have the module locally imported. Any thoughts on how I might accomplish this? The PS Remoting session is established with C# & the System.Management.Automation library. Cheers!

@mr-burnse
Copy link
Author

I should add that, in my scenario...implicit module importing will not work as the target endpoint cannot be aware of any credentials to connect back to the remote server.

@jaredcatkinson
Copy link
Member

jaredcatkinson commented Oct 17, 2016

Hey Evan,

Thanks for the kind words! I'm glad you are enjoying the project.

I've created a Github project called PowerForensics Portable (https://github.com/Invoke-IR/PowerForensicsPortable), that leverages PowerForensics' public API. One of the cool things about PowerForensics being a .NET assembly is that it is truly a "forensics" library complete with publicly exposed classes and methods.

PowerForensics Portable loads the PowerForensics assembly in memory using the System.Reflection.Assembly class' Load method. The basic idea is that you pass a .NET DLL as a byte array to the Load method and it will load that DLL in memory and expose all public functions. I then wrote a function to replicate each PowerForensics cmdlet's functionality by calling the corresponding public API. For instance, if we want to parse the UsnJrnl, then I can call [PowerForensics.Ntfs.UsnJrnl]::GetInstances('.\C:') which parses the UsnJrnl on the Logical C: volume.

A little known feature (at least something that I just learned about) of Invoke-Command is the ability to run locally defined functions on a remote host. So by importing the PowerForensicsPortable module, you are defining all of the "Portable" functions locally. You can then use Invoke-Command to execute them on a remote system over PowerShell Remoting.

Example:
Invoke-Command -ScriptBlock ${function:Get-ForensicUsnJrnlPortable} -ArgumentList '\\.\C:' -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared

My colleague Matt Graeber also wrote a proxy function for Invoke-Command that leverages PowerShell's AST to dynamically resolve function dependencies. This helps the syntax become a little more straight forward. The Invoke-Command proxy function is included in PowerForensics Portable, so it is there once the module is loaded locally.

Example:
Invoke-Command -ScriptBlock {Get-ForensicUsnJrnlPortable -VolumeName \\.\C:} -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared

@sahar55
Copy link

sahar55 commented May 7, 2017

Hi jared, is your PowerForensicsPortable still ongoing project?
I see the last update was 10month ago and some of the artifact acquisition is not there, are you planning on adding it?
Amazing jobs on those tools, truly very helpful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants